SXSW Apps Exposed Panel Re-cap (#MobileRisk)

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservingly so. While at the event in Austin, I had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. With me on the panel was Alan Murray, Senior VP of Products at Apperian and Erich Stuntebeck, Director of Mobile Security at AirWatch. Fahmida Rashid, Analyst for PC Mag, moderated the event.

Questions initially focused on malicious app behaviors such as accessing private user data, SMS history and GPS tracking as well as spyphone apps, rooting apps and the increased focus on exploiting mobile devices. All panelists agree that obtaining apps from either Google Play or Apple’s Application Store are the safest ways to go, but that there is still risk involved with using any app – especially those which interact with sensitive information.

A great case and point to this is the recent WhatsApp security oversight, detailed in this blog post. Basically another installed app could easily offload and decrypt saved SMS history with only needing two permissions, internet and access to the SD card – both very common to the vast majority of apps. This is especially concerning considering WhatsApp has over 450 million users, many who install apps from 3rd party sources. It also further demonstrates that security is not being prioritized during the app development process. While WhatsApp was using encryption to protect saved SMS history, the use and public availability of a decryption tool made their encryption irrelevant.

Questions also focused on security differences between iOs and Android. There is a widespread belief that iOS is more secure, however the discovery of the SSL ‘gotofail’ exploit has definitely shaken things up. Last year Android suffered a similar critical exploit, known as ‘Master Key,’ which enabled an installed app to replace the code of an existing app and piggyback its permissions. Both of these discoveries will not be the last of their type and are good examples of how difficult it is to design secure systems – even when that is a top priority. Apple does have an advantage with iOS as they manufacture all iOS devices. When a security patch is released, they can quickly update all iPhones and iPads. Google’s Android is in an entirely different boat. While Google does make devices which support Android, they are one of dozens. This has created an uneven landscape where millions of devices are using older, more vulnerable versions of Android which contain many known, and since fixed, exploits. The trouble is, these users lack an easy way to upgrade to the latest and most secure version.

During the course of the panel’s discussion, a few key themes emerged. One is that app developers play a big role in user privacy. They have the ability and technology to handle private data securely – but doing so hasn’t been a priority or focus. The other is that users should not be overly burdened with the responsibility of keeping their private data secure. Encrypting data shouldn’t be a user decision, it should happen, by default, through the application. Authentication is another area in need of improvement. Four digit pins and swipe screens are not sufficient. The panel was optimistic that future biometrics technology will greatly improve authentication and provide a seamless experience without the burden of passwords.

In all, it was a great event and there is a lot of interest in improving data security and privacy on our mobile devices. Continued discussions like this are essential to the advancement of new technology and the mobile security space is ripe for improvements.